{
	"id": "af6217ed-41f7-4bb0-8bf3-19b9b3b5f7fd",
	"created_at": "2026-04-06T00:12:55.709459Z",
	"updated_at": "2026-04-10T03:19:57.982134Z",
	"deleted_at": null,
	"sha1_hash": "39a797f3601364ac67dd84274875f3ddc4957b2c",
	"title": "Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 912247,
	"plain_text": "Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada\r\nBy Brad Duncan\r\nPublished: 2019-05-22 · Archived: 2026-04-05 19:22:45 UTC\r\nShade ransomware is a long-established family of ransomware first spotted in late 2014 targeting hosts running Microsoft Windows. It is also known as Troldesh. Shade has been distributed through malicious spam (malspam) and exploit kits. A recent report focused on Russian-language emails that deliver Shade, but this ransomware is also distributed through English-language malspam.\r\nWhere is Shade currently appearing? To answer this question, we reviewed recent trends in Shade ransomware among our customer base. Our results indicate the majority of recent Shade ransomware executables have also targeted users outside of Russia.\r\nIn fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union; they are the United States, Japan, India, Thailand, and Canada. Russia only occurs at number seven, and the only other country we found in the top ten where Russian is an official language is Kazakhstan at number ten. The top industries attacked in these countries were High-Tech, Wholesale, and Education.\r\nVery Little Change Since 2016\r\nThe Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014.\r\nShade ransomware infections may include other activity like click fraud traffic as noted here.\r\nRussian and English Language Distribution\r\nRecent reports of malspam pushing Shade ransomware have focused on distribution through Russian-language emails. However, Shade decryption instructions have always included English as well as Russian text. English-language waves of malspam have been noted pushing Shade ransomware, like this wave of IRS notifications targeting recipients in the United States in 2017.\r\nWhat does a Shade infection look like?\r\nWhen a Windows host is infected with Shade ransomware, its desktop background announces the infection, and ten text files appear on the desktop named README1.txt through README10.txt as shown in Figure 1.\r\nhttps://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/\r\nFigure 1. Desktop of a Windows host infected with Shade ransomware.\r\nThe ten README files all contain the same instructions as shown in Figure 2.\r\nFigure 2. Decryption instructions from a recent Shade ransomware infection.\r\nSince June 2016, file extensions for any encrypted files are .crypted000007 as shown in Figure 3.\r\nFigure 3. Examples of encrypted files from a Shade ransomware infection.\r\nShade Distribution through Malspam\r\nMalspam-based infections for Shade ransomware involve a JavaScript (.js) or other type of script-based file disguised as an invoice or bill. In some cases, Shade malspam has links for these script-based files. In other cases, the files are directly attached to the emails within a zip file or other type of archive. In February 2019, waves of Russian-language malspam used attached PDF files with links to download zip archives containing these script-based files.\r\nIn all cases we have reviewed, a .js or other script-based file was involved as indicated in Figure 4. These script-based files are designed to retrieve executable files for Shade ransomware.\r\nFigure 4. Flow chart for malspam-based Shade ransomware infections.\r\nExecutable delivery during the infection chain\r\nMalspam-based Shade infection chains have one thing in common: they all involve retrieving an executable file from a compromised server. By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.\r\nAutoFocus search parameters\r\nAutoFocus has a Shade ransomware tag that identifies any items associated with Shade ransomware. We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on packed executable (PE) files sent through a URL over TCP port 80.\r\nSince we're trying to determine geographic locations among our customer base where Shade ransomware attempts have happened, we looked for the country of Palo Alto Networks devices that discovered these attempts.\r\nThis search is for the first quarter of 2019.\r\nFinally, our query eliminated any obvious malware submissions to online sandboxes and online sharing services.\r\nOur search parameters from the AutoFocus database were:\r\nDate is in the range from January 1st through March 31st\r\nUnit 42 tag is for Shade ransomware\r\nFile type is PE\r\nFile URL has any value but is not unknown\r\nSource port (the TCP port the file came from) is 80\r\nDevice Country has any value (is not blank or unidentified)\r\nFile URL does not contain the string /malware/\r\nFile URL does not contain the string malshare.com\r\nFile URL does not contain the string paloaltonetworks\r\nFile URL does not contain the string local\r\nFigure 5. An AutoFocus query for Shade ransomware executables in the first quarter of 2019.\r\nResults from January through March 2019\r\nOur search results from January through March 2019 revealed 307 Shade ransomware samples over 6,536 sessions. Each session represents an HTTP request for a URL hosting a Shade ransomware executable. Many of these URLs were seen multiple times in separate sessions. Locations of our top ten results were:\r\nUnited States - 2,010 sessions\r\nJapan - 1,677 sessions\r\nIndia - 989 sessions\r\nThailand - 723 sessions\r\nCanada - 712 sessions\r\nSpain - 505 sessions\r\nRussian Federation - 86 sessions\r\nFrance - 71 sessions\r\nUnited Kingdom - 67 sessions\r\nKazakhstan - 21 sessions\r\nFigure 6. Top ten countries from our AutoFocus search results as shown on a world map.\r\nThe top country with Shade ransomware infection attempts among our customer base was the United States. The vast majority of these sessions for URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian-language countries.\r\nThe top 10 verticals for this period were:\r\nHigh Tech: 5,009 sessions\r\nWholesale and Retail: 722 sessions\r\nEducation: 720 sessions\r\nTelecommunications: 311 sessions\r\nFinance: 51 sessions\r\nTransportation and Logistics: 24 sessions\r\nManufacturing: 32 sessions\r\nProfessional and Legal Services: 8 sessions\r\nUtilities and Energy: 4 sessions\r\nState and Local Government: 1 session\r\nConclusion\r\nThe top country with Shade ransomware infection attempts among our customer base was the United States. The vast majority of these sessions for URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian-language countries.\r\nThe most common targets for Shade ransomware infection attempts were organizations that fell under the High Tech category.\r\nThese results are likely skewed towards English due to our customer base. However, they indicate Shade ransomware is very active outside of Russia and possibly targeting more English-speaking victims than Russian.\r\nPalo Alto Networks customers are protected from Shade ransomware by our threat prevention platform, which easily detects these executables. AutoFocus users can track Shade ransomware attempts by using the Shade tag.\r\nSee the appendices below for details on recent Shade ransomware samples we discovered in March and April 2019.\r\nAppendix A\r\n73 recent SHA256 file hashes for Shade ransomware executable files found in March and April 2019. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Shade_ransomware/Shade-ransomware-SHA256-hashes-March-and-April-2019.txt\r\nAppendix B\r\n203 recent URLs that returned Shade ransomware executable files in March and April 2019. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Shade_ransomware/Shade-ransomware-URLs-March-and-April-2019.txt\r\nSource: https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/"
	],
	"report_names": [
		"shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada"
	],
	"threat_actors": [],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39a797f3601364ac67dd84274875f3ddc4957b2c.pdf",
		"text": "https://archive.orkl.eu/39a797f3601364ac67dd84274875f3ddc4957b2c.txt",
		"img": "https://archive.orkl.eu/39a797f3601364ac67dd84274875f3ddc4957b2c.jpg"
	}
}